Logstash is not naming indices based on Filebeat tags

a.sailor · December 7, 2018, 3:35pm

Hi all experts!
I have the following configuration:

Beats:

filebeat.inputs:
 -type: log
  enabled: true
  tags: ["apache-error"]
  paths:
 - /var/log/httpd/error_log

 - type: log
   enabled: true
   tags: ["apache-access"]
   paths:
   - /var/log/httpd/access_log

... and logstash:

 if "apache-error" in [tags] {
            elasticsearch {
                    hosts => ["ES1"]
                    index => "apache-error-%{+YYYY.MM.dd}"
            }
 }

if "apache-access" in [tags] {
            elasticsearch {
                    hosts => ["ES2"]
                    index => "apache-access-%{+YYYY.MM.dd}"
            }
  }

However, indices are shown in ES like this:

filebeat-6.5.1-2018.12.07

Where am i messing up ?
Thanks in advance!

shaunak · December 11, 2018, 1:48am

In your logstash output section, could you temporarily add this section so we can inspect the events being generated?

output {
   # ... existing plugins/if statements

  stdout {
    codec => rubydebug
  }
}

Then restart your Logstash node and look at the event objects being printed out to stdout. That might give you some clue as to why things aren't working as expected. If you can't figure it out, feel free to post a few events from stdout here (with any sensitive information redacted).

system · January 8, 2019, 1:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash not writing to ElasticSearch Logstash	2	920	January 30, 2019
Filebeat V7.4.1 output.elasticsearch not writing to defined index "logstash" Beats filebeat	6	618	November 26, 2019
Not able to create /see any indexs in elasticsearch Beats filebeat	2	333	November 13, 2018
From logstash-forwarder to filebeat, how can use tags? Beats filebeat	2	1552	July 5, 2016
New filebeat-related log error Beats filebeat	3	570	August 23, 2018

Logstash is not naming indices based on Filebeat tags

Related topics